The security of information systems (IS) continues to be one of the most serious issues of the twenty-first century. Past research indicates human factors to be the prime reason for IS security breaches. Human factors are repertoires of behavior that evolve from the reasoning and actions that individuals follow. These actions become the 'theories of action' individuals espouse and their 'theories-in-use', which are the actions they actually use. We argue that IS security problems occur when an organization's 'espoused theory' and their 'theory-in-use' (what they actually do) are contradictory. It is important, therefore, that human factors be addressed in (IS) security. The current focus on technological methods alone is an incomplete solution. The purpose of this paper is to present double loop learning as a strategy for designing and implementing security actions that bring an organization's 'espoused theory' and their 'theory-in-use' (what they actually do) into congruence . Indeed, by doing so double loop learning is a proactive security method that never becomes outdated.